A1Ester

**Name of the Vulnerable Software and Affected Versions** Totolink N300RH version 6.1c.1353 B20190305 **Description** OS command injection is possible in the Web Management Interface via the `setPasswordCfg()` function located in the '/cgi-bin/cstecgi.cgi' endpoint. This occurs when the `admpass` argument is manipulated, allowing a remote attacker to execute arbitrary operating system commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.